The reality of the modern malware world is that there is no one product (or two
products) that will catch all of the infections that are circulating on the net.
Sometimes you will need
specialised tools.

This article will start with
clean up routines that get rid of the more basic infections. If
that isn't enough to clean your system then we have to pull out the
heavy armoury. If you find yourself facing a stubborn
malware infection, please visit one of the
recommended help sites. Remember, you're not alone in
this.

There are many people who have helped this FAQ improve over
time - MVPs and newsgroup users. I thank all of you who have made the
newsgroups, anti-malware websites and dedicated mailing lists into such a
wonderful resource.

Read the advice at my prevention link to reduce the chances of your computer being infected.

Some people
recommend that System Restore be turned off and all Restore Points deleted
before attempting spyware removal. DO NOT DO THIS. If something goes
wrong (anything is possible) you will have no way to reverse your actions.
You'll want to delete your old Restore Points, but the time to do that is later,
not now. A discussion about System Restore, malware and best practice can
be found on my blog: http://msmvps.com/spywaresucks/archive/2005/09/17/66724.aspx

Before trying to remove spyware

Back up all essential data.

Record what you can about the current situation. Take screenshots of
the malware before you start cleaning and save them to a Word document or
into a folder - it will help with identification if the preliminary steps don't
work.

If you are using XP SP2, write this down - it may get things going if you are
unable to access the internet after removing malware: netsh winsock reset

HijackThis. You can also find the latest
version at the author's home site, being
http://www.merijn.org/downloads.html

Important note: Some malware is targeting HijackThis and preventing it
from running. Rename the executable to hjt.exe or scan.exe or
bitemebadguys.exe to get around the problem.

After all software has been downloaded, installed
and updated disconnect the computer from the internet and any network to which
it may be attached.

Some malware *will* try to connect to the internet
if it detects attempts to remove it. Do not give it the chance to do so if
at all possible. You will need to reconnect to the internet at
times (for example, for online scans) but as much as is possible keep the computer isolated from the Internet
and from other computers.

Malware removal (beginner's step-by-step guide)

Some of the
following advice may seem pedantic, or unnecessary, but I strongly advise you to
do everything in the order given to maximise your chances of a successful
outcome. A lot of modern malware, if given the chance, will try to
reinstall itself automatically. The steps below are designed to minimise
the chance of this happening.

A.
Getting ready to disinfect....

Go to Control Panel, Folder Options, View Tab. Turn on the option to show hidden
files. Turn off the option to hide protected system files. Turn off the option
to hide the extensions of known file types. Apply this change to
all folders.

***WARNING!! Files are hidden by Windows for a very
good reason. It is not wise to 'experiment' with these files.
Unfortunately, to successfully remove some malware we must turn this protection off. There is a risk to doing
this. Please turn the protection back on when you have finished cleaning
your system.***

Check all 'startup' folders for unwanted malware entries. Windows 95 and 98 users can examine their startup
folder via the Start Menu. Those of us who are using a later operating
system should check ..\Documents and Settings\All Users\Start
Menu\Programs\Startup and ..\Documents and Settings\<username>\Start
Menu\Programs\Startup. Move any that you find onto your desktop (note: log on
as administrator to access all startup locations).

Check Add/Remove programs. Some adware
utilises add/remove programs. Remove what you can that way.

Right click the shortcuts that you have moved
out of the startup folders, select 'Properties' and note the target path of
each one. You will use this list to cross reference
what is found and removed by the anti-spyware applications and ensure
nothing obvious has been missed.

(Screenshot in the original: the Properties dialog of a shortcut, with the
target path highlighted in a red box.)

The path to your temp folder will change depending on username and operating
system.

Empty: c:\windows\prefetch

Do NOT try to delete the contents of the Windows folder, delete ONLY the contents
of the prefetch folder (yes, believe it or not, some have tried to
delete the Windows folder in its entirety)

Go to Control Panel. Open Internet Options, Temporary Internet Files {Settings Button},
View Objects, Downloaded Program Files. A Windows Explorer
window will open. Unwanted plugins can be removed by right clicking on
the object, and selecting 'remove'.

Go to the Programs tab of Internet Options and click
Manage Add-ons. Examine the list of 'Add-ons that
have been used by Internet Explorer' and disable anything that you do not
want Internet Explorer to use. If you wish, the add-ons can be
re-enabled at a later time.

Click on the Accessibility button on
the General tab. Make sure there is no style
sheet chosen ('Format documents using my style sheet').
If the option is turned on, turn it OFF.

Once finished,
reboot into safe mode.
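The folder-options, startup-folder and prefetch steps above can be done from a script instead of by hand, which also leaves you with a written record of what was in the startup folders. The following is an added example and is not code from the original FAQ; it assumes PowerShell 2.0 or later running in an administrator session, that the all-users startup folder is in one of the two usual locations (Documents and Settings on XP, ProgramData on Vista and later), and that the shortcut resolution via the WScript.Shell COM object is available. The Internet Explorer steps are GUI only and are not covered.

```powershell
# Added example, not part of the original FAQ. Assumes PowerShell 2.0+ and an
# administrator session. Registry value names under Explorer\Advanced are the
# ones Folder Options writes: Hidden (1 = show, 2 = don't), ShowSuperHidden
# (1 = show protected OS files) and HideFileExt (0 = show extensions).

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ExplorerVisibility {
    param([bool]$ShowAll)
    # $true = the "getting ready" settings; $false = restore the defaults
    # when the clean-up is finished, as the warning above asks.
    if ($ShowAll) { $hidden = 1; $super = 1; $hideExt = 0 }
    else          { $hidden = 2; $super = 0; $hideExt = 1 }
    Set-ItemProperty -Path $advanced -Name Hidden          -Value $hidden  -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value $super   -Type DWord
    Set-ItemProperty -Path $advanced -Name HideFileExt     -Value $hideExt -Type DWord
}

function Get-StartupShortcuts {
    # Candidate startup folders: the current user's, plus the all-users folder
    # on XP (ALLUSERSPROFILE) and on Vista+ (ProgramData). Only existing ones are used.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    ) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        # -Force lists hidden entries too; malware likes to hide its shortcut.
        foreach ($item in (Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer })) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                # The same "Target" field you see on the shortcut's Properties dialog.
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            New-Object PSObject -Property @{
                Folder       = $folder
                Entry        = $item.Name
                Target       = $target
                TargetExists = [bool]($target -and (Test-Path $target))
            }
        }
    }
}

function Move-StartupEntries {
    # Moves every startup entry into a folder on the desktop and writes the
    # target list to a text file for cross-referencing against scanner results.
    $dest = Join-Path ([Environment]::GetFolderPath('Desktop')) 'startup_quarantine'
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $entries = @(Get-StartupShortcuts)
    $entries | Format-List | Out-File (Join-Path $dest 'startup_entries.txt')
    foreach ($e in $entries) {
        Move-Item -Path (Join-Path $e.Folder $e.Entry) -Destination $dest -Force
    }
    $entries
}

function Clear-Prefetch {
    # Deletes only the files inside %SystemRoot%\Prefetch, never the folder
    # itself and never anything else under the Windows folder.
    $pf = Join-Path $env:SystemRoot 'Prefetch'
    if (-not (Test-Path $pf)) { return }
    Get-ChildItem -Path $pf -Force |
        Where-Object { -not $_.PSIsContainer } |
        Remove-Item -Force -ErrorAction SilentlyContinue
}

Set-ExplorerVisibility -ShowAll $true
Move-StartupEntries | Format-Table Entry, Target, TargetExists -AutoSize
Clear-Prefetch
# After the system is clean:  Set-ExplorerVisibility -ShowAll $false
```

Explorer reads the Advanced values when it starts, so log off and on (or restart explorer.exe) for the visibility change to take effect in open windows. An entry whose TargetExists is false is worth a second look: either the malware has already been removed and left its shortcut behind, or the target is hidden somewhere the shortcut path does not reveal.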

You may need
to download and install Update KB888240 to
solve a known problem for XP SP2 where add-ins will sometimes hide themselves from the
Add-On Manager.
The hotfix is available from the KB888240 article (this may already be installed, depending on how up to date your system
is).

Please take screenshots whenever something is detected on your computer. It
will help you remember what was found and removed, and will help us assess the
situation if you need more expert help.

As much as is possible, the following steps
should be completed in safe mode. Sometimes this will not be
possible.

C. Cleaning your computer - second sweep

Start Windows Defender. Remember you should have updated it as soon
as it was installed, and you should also update it every time it is run (unless
you have already checked for updates that day).

Run a full scan and remove any malware that is
detected.

Once finished, reboot.

Run Windows Defender again. If the
infection is back, note down its name.

D. Cleaning your computer - third sweep

If you have purchased any pay-for product, run a full system scan with it
and clean any malware that is detected. Remember you should have updated it as soon as it was
installed, and you should also update it every time it is run (unless you
have already checked for updates that day).

Once finished
reboot into safe mode.

Complete a
second full system scan. If the infection is back, note down its name.

If
you are unable to get on to the internet after cleaning up your computer, run
LSPfix if not using XP. If using XP run Winsockxpfix.
If you are using XP SP2 and are unable to access the internet after removing malware, the following command line may save you
the need to run Winsockxpfix - it
will reset the Winsock catalogue:

netsh winsock reset

Once the computer is clean, and if it applies to the operating
system, create a new restore point. The old ones may, of course, be
infected with the malware and cannot be used.
There are two ways to get rid of infected restore points once you have a new one
available, depending on what
version of XP you are using:

If the malware problem comes back further specialised
assistance is available via various
anti-spyware forums, my preferred forums being
aumha.net,
castlecops and
bleepingcomputer.

You will need to post a HijackThis log at the anti-spyware
forums for analysis, but please make sure that you have attempted to clean your
system as per the advice above before generating the log file.

Removing malware can be an exacting process. If you
don't do things at the right time and in the right way, you may find yourself
having to start all over again - the worst examples of malware will transmute as soon as
any imperfect attempt at removal occurs.

Search the rest of the registry for any reference to
discovered malware files. You may see clues pointing you to files or CLSIDs that,
in turn, can be examined to reveal even more keys or files. Invariably if you find a malware
reference in the registry it will point you to another component elsewhere.

"Security Central" at Castlecops
is a fantastic resource - you'll find several searchable databases including
CLSID, BHO and ActiveX.

which will in turn reveal malware file names. Sometimes it can be
hard to work out what is a legitimate SharedTaskScheduler entry and what is not,
but if you're seeing those "you have been infected with spyware" fake alerts,
you can bet there is a malware entry there. Use the
Castlecops CLSID
list to check out the keys, and also look at the file names associated with
the CLSID. Obviously unusual or random file names should be looked at with
suspicion.

AppInit_DLLs is especially problematic. If a malware file is referenced
in that key, you will not be able to get rid of it until the reference is
removed, which is no easy task. First you will have to nuke whatever is
monitoring that key and recreating the malware entry. For example:

File X will be mentioned in AppInit_DLLs
File Y will be monitoring AppInit_DLLs

You have to get rid of File Y before you can delete the AppInit_DLLs entry
and afterwards delete File X. Fun, yes?
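The registry work described in the last few paragraphs (resolving a CLSID to its file, checking the BHO and SharedTaskScheduler entries, reading AppInit_DLLs, and then searching the rest of the registry for references to a suspect file) can be done from one script. The following is an added example, not code from the original FAQ; it assumes PowerShell 2.0 or later in an administrator session and that tasklist.exe is available (it is not shipped with XP Home). The name heuristic in Test-SuspiciousName is my own rule of thumb for the "unusual or random file names" the text mentions, not a definitive test.

```powershell
# Added example, not part of the original FAQ. Assumes PowerShell 2.0+, an
# administrator session, and tasklist.exe on the path.

function Resolve-Clsid {
    param([string]$Clsid)
    # A COM object's DLL is the default value of CLSID\{...}\InprocServer32.
    # HKCU is checked first because per-user registrations shadow HKLM ones.
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Test-SuspiciousName {
    param([string]$Path)
    # Heuristic only: missing file, file living in a temp location, or a base
    # name of 8+ consonants/digits with no vowel (typical of generated names).
    if (-not $Path -or -not (Test-Path $Path)) { return $true }
    if ($Path -match '\\(Temp|Temporary Internet Files)\\') { return $true }
    $base = [IO.Path]::GetFileNameWithoutExtension($Path)
    return [bool]($base -match '^[^aeiouAEIOU]{8,}$')
}

function New-Entry($Source, $Clsid, $File) {
    New-Object PSObject -Property @{
        Source = $Source; Clsid = $Clsid; File = $File
        Suspicious = (Test-SuspiciousName $File)
    }
}

function Get-BrowserHelperObjects {
    # Each subkey of this key is the CLSID of a BHO loaded into every IE window.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        New-Entry 'BHO' $sub.PSChildName (Resolve-Clsid $sub.PSChildName)
    }
}

function Get-SharedTaskSchedulerEntries {
    # Here the value *names* are CLSIDs; the data is just a description string.
    $stsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    if (-not (Test-Path $stsKey)) { return }
    $props = Get-ItemProperty -Path $stsKey
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -like '{*}' })) {
        New-Entry 'SharedTaskScheduler' $p.Name (Resolve-Clsid $p.Name)
    }
}

function Get-AppInitDlls {
    # Space- or comma-separated list of DLLs loaded into every process that loads user32.dll.
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $value = (Get-ItemProperty -Path $winKey).AppInit_DLLs
    if (-not $value) { return }
    foreach ($entry in ($value -split '[ ,]+' | Where-Object { $_ })) {
        New-Entry 'AppInit_DLLs' '' ([Environment]::ExpandEnvironmentVariables($entry))
    }
}

function Find-RegistryReferences {
    param([string]$FileName, [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\Software'))
    # Walks the hives and reports every value whose data mentions the file.
    # Slow, but independent of the reg.exe version on the machine.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($vn in $key.GetValueNames()) {
                $data = [string]$key.GetValue($vn)
                if ($data -like "*$FileName*") {
                    New-Object PSObject -Property @{ Key = $key.Name; Value = $vn; Data = $data }
                }
            }
        }
    }
}

function Get-ProcessesLoading {
    param([string]$DllName)
    # Which processes have the DLL mapped: this is how to find the "File Y"
    # that keeps re-creating an AppInit_DLLs entry for "File X".
    & tasklist.exe /m $DllName
}

$entries = @(Get-BrowserHelperObjects) + @(Get-SharedTaskSchedulerEntries) + @(Get-AppInitDlls)
$entries | Format-Table Source, Clsid, File, Suspicious -AutoSize
foreach ($e in ($entries | Where-Object { $_.Suspicious -and $_.File })) {
    $name = [IO.Path]::GetFileName($e.File)
    "--- registry values referencing $name"
    Find-RegistryReferences $name | Format-Table Key, Value, Data -AutoSize
    "--- processes with $name loaded"
    Get-ProcessesLoading $name
}
```

Run it from safe mode where possible, and run it again after a reboot: an entry that reappears points at a guardian component that has not yet been removed. The CLSIDs it lists are what you check against the Castlecops database; the file names are what you look up in Add/Remove Programs and in your startup-folder notes.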

Some malware dumps HTML files on the local machine for use as fake home pages
or for other uses.

I strongly recommend that, unless you have a lot of experience working in this
area, you post details of the
services revealed by services.msc to aumha.net for
professional guidance. If you turn off the wrong service you could cause serious
problems, and at the very worst, leave the computer unbootable.